Keys

Keys need to be identified unambiguously; the documentation about this is a bit confusing.

In the following, the Key ID is an identifier taken from the 40 hex digit (primary) key fingerprint: the last 8 hex digits (short Key ID) or the last 16 (long Key ID). It is handier than the full 40 hex digits, but the short form is not safe: a key with any chosen 8 digit ID can be generated in seconds, so whenever it matters use the fingerprint, or at least the long ID (gpg option keyid-format 0xlong).

Keys carry creation, expiration and revocation dates.

Keys contain a user ID made of Real name, e-mail address and Comment; these elements can also be used to find the Key ID. A key can hold lots of other stuff, such as a preferred key server, a photo and many more.

Key servers

To work with gpg, the public keys need to be exchanged and imported into the local PC. This can be done using files; another way is using key servers.

Note

Once keys are uploaded to a classic (SKS-style) key server they stay there forever, also when expired or revoked: a revocation can be added, but the key is never removed. keys.openpgp.org, the GnuPG default server since version 2.2.17, behaves differently: it publishes a user ID only after its e-mail address has been confirmed, and the owner can have it removed again.

The key server can be passed to the command with an option such as --keyserver subkeys.pgp.net (that host and the old SKS pools are no longer in service; the current GnuPG default is hkps://keys.openpgp.org, and hkps should be used so lookups cannot be observed or tampered with in transit), but the default key server is better configured in the file ~/.gnupg/gpg.conf.

Keys can be found on the key server when an e-mail address or the user name (= Real name) is known, because the user ID inside the key is composed of Real name, e-mail and comment:

gpg --search-keys <e-mail address>

gpg --search-keys Urs Lindegger

Searching by name only works on servers that index names; keys.openpgp.org answers lookups by e-mail address, Key ID or fingerprint only.

Getting public keys

The Key ID must be published somewhere, or can be found using:

gpg --search-keys <e-mail address>

When found, pressing the corresponding number imports it.

Alternatively, a known Key ID is imported with gpg --keyserver subkeys.pgp.net --recv-keys <Key ID>; the result can be verified using gpg --list-keys. Give the full fingerprint rather than a short Key ID: several keys can share the same 8 hex digits, and anybody can upload a forged one with them.

Gnupg creates the directory ~/.gnupg where all keys reside. The file ~/.gnupg/gpg.conf holds the configuration.

Produce your keys

gpg --gen-key produces the key pair belonging to you: a primary key for signing and certifying plus an encryption subkey, each with a public and a secret part. You should limit the time the key is valid. In GnuPG 2.1 and newer, --gen-key asks only for name and e-mail and takes the defaults for everything else; gpg --full-gen-key asks for algorithm, key size and expiry.

Select the default encryption settings. Important is the passphrase to be entered: it protects the secret key on disk and is required for every later action that uses it (signing, decrypting, certifying other keys).

You need to enter Real name, Email address and comment.

This forms the USER_ID: "<Real name> (<Comment>) <<e-mail address>>"

gpg --list-keys to see the key you have got.

gpg --list-secret-keys lists the secret keys you have.

Important

When creating keys, think about what happens when you lose them or when somebody gets hold of them. Therefore create a revocation certificate as a precaution (for normal people: a file that you need in order to make the key invalid). GnuPG 2.1 and newer writes one automatically to ~/.gnupg/openpgp-revocs.d/<fingerprint>.rev at key generation; the manual way is:

gpg --output revoke.asc --gen-revoke <Key ID>

It wants to know the reason why such a certificate is created; select 1 = Key has been compromised, since the certificate is prepared for exactly that case.

Important

You have to enter the passphrase from above.

Back up the contents of ~/.gnupg on a memory medium. Also move the revocation file revoke.asc to this medium, delete it from the computer (or move it into an encrypted place) and store it in a safe place: anybody holding revoke.asc can invalidate your key.

The keys can be sent to a key server with gpg --send-keys <Key ID>

Revoking it on the key server takes two steps: import the revocation certificate locally, then send the (now revoked) key again. The server adds the revocation to the stored key; the key itself is not removed:

gpg --import revoke.asc

gpg --keyserver certserver.pgp.com --send-keys <Key ID>
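The procedure above (create the key pair, note its fingerprint, keep the revocation certificate, revoke) as an added example script that is not from the original page; it also shows how the short and long Key IDs of the Keys section are cut from the fingerprint, and uses --quick-set-expire for the expiry change. It runs in a throw-away GNUPGHOME with GnuPG 2.1 or newer; the user ID and all function names are my own, and the empty passphrase is acceptable only for a test key that is thrown away.

```shell
#!/bin/sh
# Added example, not from the original page: create a key pair unattended in a
# scratch GNUPGHOME, derive the long and short Key IDs from the fingerprint,
# change the expiry, and revoke the key with the revocation certificate that
# GnuPG >= 2.1 writes to openpgp-revocs.d/ at generation time. The user ID is
# made up; the empty passphrase is only acceptable for a throw-away test key.
set -eu

# Long Key ID = last 16 hex digits of the 40 digit fingerprint, short Key ID =
# last 8. Short IDs collide easily; only the full fingerprint is safe to act on.
long_keyid()  { printf '%s\n' "$1" | tail -c 17; }
short_keyid() { printf '%s\n' "$1" | tail -c 9; }

# gpg without prompts: batch mode, passphrase supplied on the command line
g() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Field extraction from the machine-readable listing (--with-colons):
#   pub record, field 2 = validity ('u' own key, 'e' expired, 'r' revoked),
#   field 7 = expiry (normally seconds since the epoch);
#   fpr record, field 10 = fingerprint (first one is the primary key).
fingerprint() { g --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }
validity()    { g --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $2;  exit}'; }
expiry()      { g --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $7;  exit}'; }

# Primary key (sign,cert) plus encryption subkey, valid one year; prints the fingerprint.
make_key() {
    g --quick-generate-key "$1" default default 1y >/dev/null 2>&1
    fingerprint "$1"
}

# The stored revocation certificate has a ':' in front of the armor header so it
# cannot be imported by accident; strip it, import it, and the key is marked revoked.
# Publishing the revocation is then "gpg --send-keys <fingerprint>" (needs network).
revoke_key() {
    sed 's/^:-----BEGIN/-----BEGIN/' "$GNUPGHOME/openpgp-revocs.d/$1.rev" | g --import 2>/dev/null
}

demo() {
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME        # leave the real ~/.gnupg alone
    fpr=$(make_key "Alice Example (test key) <alice@example.org>")
    echo "fingerprint:  $fpr"
    echo "long Key ID:  0x$(long_keyid "$fpr")   short Key ID: 0x$(short_keyid "$fpr")"
    echo "validity: $(validity "$fpr")  expires: $(expiry "$fpr")"
    g --quick-set-expire "$fpr" 2y 2>/dev/null        # same as "expire" inside --edit-key
    echo "after --quick-set-expire 2y, expires: $(expiry "$fpr")"
    # Copy the certificate to an off-line medium before publishing the key, e.g.
    #   cp "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" /media/usb/      (example path)
    revoke_key "$fpr"
    echo "validity after revocation: $(validity "$fpr")"   # r
}

if command -v gpg >/dev/null 2>&1; then demo; else echo "gpg not installed" >&2; fi
```

Everything that identifies a key in the script is the 40 digit fingerprint; the two *_keyid functions exist only to show what the shorter forms are. On a real key replace the empty passphrase with a proper one (drop --passphrase '' and let pinentry ask).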

Modifying keys

Keys can be exported with gpg --export; the output goes to the screen in binary format, so better use gpg --armor --export to get ASCII. Or put it into a file with gpg --armor --export --output <filename>, or export just one user with gpg --armor --output <filename> --export <user's e-mail>. --export never includes secret keys; for those (backup only, never publish them) use gpg --armor --export-secret-keys.

They can also be imported: gpg --import <filename>

gpg --delete-key <Key ID> deletes a key from the local PC but not from the key server: classic key servers do not support deletion at all, so a published key can only be revoked. If the secret key is also present, gpg refuses and gpg --delete-secret-keys <Key ID> must be run first.

Typing gpg --edit-key <Key ID> brings you into an interactive loop where you can type commands such as help. As you can see, all kinds of modifications can be done; they are only written when you finish with save.

To see what you have: showpref

The expiry date can be modified with expire (without the interactive loop: gpg --quick-set-expire <fingerprint> 2y)

A keyserver could be added with keyserver, so when signed e-mails arrive the receiver knows where to get the public key; however the major (SKS) key servers exchanged the public keys among each other anyway. keyserver none deletes it again.

Add a photo with addphoto

Refresh the keys from the key server, which also picks up revocations and new expiry dates of other people's keys: gpg --refresh-keys

List the keys showing the fingerprint: gpg --fingerprint

Cryptographic signature

Text files (but also binary files) can be signed. There are different options.

gpg --sign <filename> writes <filename>.gpg: file and signature together in binary OpenPGP format, so the result is no longer readable as text (add --armor for an ASCII <filename>.asc).

gpg --clearsign <filename> writes <filename>.asc: the text stays readable, the signature is appended as an ASCII block.

gpg --detach-sign <filename> writes only the signature to <filename>.sig; the original file is left untouched.

After importing the key of the author (e.g. using its Key ID), a signed file is verified with gpg --verify <filename>; a detached signature needs both files, signature first: gpg --verify <filename>.sig <filename>. "Good signature" only proves that the holder of that key signed the file; compare the fingerprint gpg prints with the one obtained from the author through another channel, otherwise any key carrying the same name would pass.

Encryption and decryption

gpg --encrypt <filename> encrypts (the destination user must be specified; without --recipient gpg asks for it). The output is <filename>.gpg; add --armor for ASCII and --sign to sign it as well.

gpg --recipient "Urs Lindegger" --encrypt <filename> encrypts it for that destination user. The recipient can be given as name, e-mail address or, unambiguously, as fingerprint; gpg asks before using a key whose validity is unknown (and refuses it in --batch mode) unless you have verified and signed the key or pass --trust-model always.

gpg --decrypt <filename> decrypts (passphrase is required) and writes the plaintext to stdout; use --output <file> to store it. If the message was also signed, the signature is verified at the same time.
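Signing, verifying, encrypting and decrypting end to end, as an added example script that is not from the original page; it also covers the export/import of public keys from the Modifying keys section, with the fingerprint check that must happen before a received key is trusted. Two throw-away GnuPG home directories stand in for two PCs; user IDs, file names, the message and all function names are my own, and GnuPG 2.1 or newer is assumed.

```shell
#!/bin/sh
# Added example, not code from the original page: two throw-away GnuPG home
# directories ("alice", "bob") stand in for two PCs. Alice's public key is
# exported to a file and imported by Bob, Bob compares the fingerprint with the
# expected one and locally certifies the key, then Alice signs and encrypts a
# constructed message to Bob, who decrypts and verifies it. A detached signature
# is verified before and after tampering with the data file.
# User IDs, file names, the message and all function names are made up.
set -eu

WORK="$(mktemp -d)"
ALICE="$WORK/alice"; BOB="$WORK/bob"          # two "PCs"
mkdir -m 700 "$ALICE" "$BOB"

# gpg against one home directory, never prompting (test keys have no passphrase).
g() { home="$1"; shift
      GNUPGHOME="$home" gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Primary key (sign,cert) plus encryption subkey, valid one year; prints the fingerprint.
make_key() {
    g "$1" --quick-generate-key "$2" default default 1y >/dev/null 2>&1
    g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Export a public key from home $2, import it into home $1 and compare the imported
# fingerprint with the expected one $3 (obtained out of band). Only then certify it
# locally (lsign): batch-mode gpg refuses to encrypt to an unverified key.
receive_key() {
    g "$2" --armor --export "$3" > "$WORK/$3.asc"
    g "$1" --import "$WORK/$3.asc" 2>/dev/null
    got=$(g "$1" --with-colons --list-keys "$3" | awk -F: '$1=="fpr"{print $10; exit}')
    [ "$got" = "$3" ] || { echo "fingerprint mismatch for $3" >&2; return 1; }
    g "$1" --quick-lsign-key "$3" 2>/dev/null
}

# Sign with key $2 and encrypt to key $3 (both fingerprints); $4 -> $5, ASCII armored.
sign_encrypt() { g "$1" --armor --local-user "$2" --recipient "$3" --sign --encrypt --output "$5" "$4"; }

# Decrypt $2 into $3; succeed only if the message carries a valid signature from the
# expected signer $4. VALIDSIG is the machine-readable status line that names the
# signing key by fingerprint, so a different key with the same name does not pass.
decrypt_verify() {
    status=$(g "$1" --status-fd 1 --output "$3" --decrypt "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$4"
}

# Detached signature of $2 into $3; the data file is left untouched.
detach_sign() { g "$1" --armor --detach-sign --output "$3" "$2"; }
# Verification needs both files, signature first. Exit status 0 = good signature.
verify_detached() { g "$1" --verify "$3" "$2" 2>/dev/null; }

demo() {
    AF=$(make_key "$ALICE" "Alice Example <alice@example.org>")
    BF=$(make_key "$BOB" "Bob Example <bob@example.org>")
    receive_key "$BOB" "$ALICE" "$AF"      # Bob gets and certifies Alice's key
    receive_key "$ALICE" "$BOB" "$BF"      # Alice gets and certifies Bob's key
    printf 'constructed test message\n' > "$WORK/msg.txt"
    sign_encrypt "$ALICE" "$AF" "$BF" "$WORK/msg.txt" "$WORK/msg.asc"
    decrypt_verify "$BOB" "$WORK/msg.asc" "$WORK/msg.dec" "$AF" &&
        echo "Bob decrypted and verified: $(cat "$WORK/msg.dec")"
    detach_sign "$ALICE" "$WORK/msg.txt" "$WORK/msg.sig"
    verify_detached "$BOB" "$WORK/msg.txt" "$WORK/msg.sig" && echo "detached signature: good"
    echo "tampered" >> "$WORK/msg.txt"
    verify_detached "$BOB" "$WORK/msg.txt" "$WORK/msg.sig" || echo "after tampering: BAD signature, as expected"
}

if command -v gpg >/dev/null 2>&1; then demo; else echo "gpg not installed" >&2; fi
```

The design point is in decrypt_verify: a successful --decrypt says nothing about who signed, so the script reads the VALIDSIG status line and compares the fingerprint, never a name or short Key ID. Interactive use does the same by reading the fingerprint gpg prints after "Good signature".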

Gui tools

Evolution can sign the e-mails it sends; all it needs is the Key ID entered in the mail account's configuration under security and signing enabled there. The first time it asks for the passphrase, after that it can rely on gpg-agent instead of asking for it continuously.

Gpg Agent

When encrypting and decrypting with gpg you often have to type in the passphrase. gpg-agent reduces this by caching it for a configurable time (default-cache-ttl and max-cache-ttl in ~/.gnupg/gpg-agent.conf); since GnuPG 2.1 the agent is started automatically when needed.
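The keyserver setting from the Key servers section and the agent cache from this section, written as configuration files by an added example script that is not from the original page. The weak legacy keyserver line is left in as a comment next to its replacement. All option names are real GnuPG 2.2+ options; the cache times, the check function and the scratch directory are my own choices.

```shell
#!/bin/sh
# Added example, not from the original page: write gpg.conf and gpg-agent.conf
# with the settings discussed above into a GnuPG home directory. The legacy
# keyserver line is kept commented out next to its replacement. All option
# names are real GnuPG 2.2+ options; only the cache times are illustrative.
set -eu

write_gpg_conf() {                      # $1 = GnuPG home directory (normally ~/.gnupg)
    mkdir -p "$1"
    chmod 700 "$1"                      # gpg warns about unsafe permissions otherwise
    cat > "$1/gpg.conf" <<'EOF'
# Legacy setting from old tutorials: plain HKP to a pool that no longer exists
#keyserver subkeys.pgp.net
# Corrected: HKPS to the verifying keyserver (GnuPG's default since 2.2.17)
keyserver hkps://keys.openpgp.org
# Never act on 8 digit short Key IDs: show long IDs and the full fingerprint
keyid-format 0xlong
with-fingerprint
EOF
    cat > "$1/gpg-agent.conf" <<'EOF'
# Passphrase cache: seconds since last use, and an absolute maximum
default-cache-ttl 600
max-cache-ttl 7200
EOF
}

# 0 when the keyserver is reached over HKPS, long IDs are forced and a cache
# lifetime is set; if gpg is installed it must also parse the file without error
# (an unknown option in gpg.conf makes every gpg command fail).
check_gpg_conf() {
    grep -q '^keyserver hkps://' "$1/gpg.conf" &&
    grep -q '^keyid-format 0xlong' "$1/gpg.conf" &&
    grep -q '^default-cache-ttl ' "$1/gpg-agent.conf" || return 1
    if command -v gpg >/dev/null 2>&1; then
        gpg --batch --homedir "$1" --list-keys >/dev/null 2>&1 || return 1
    fi
}

demo_home="$(mktemp -d)"                # try it out without touching ~/.gnupg
write_gpg_conf "$demo_home"
check_gpg_conf "$demo_home" && echo "configuration written to $demo_home"
```

When writing to the real ~/.gnupg, a running agent only picks up the new cache times after gpgconf --reload gpg-agent.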

Network Information Service

Network Information Service (NIS, formerly Yellow Pages) is used to share information within a small network; it keeps user names and passwords consistent across the machines. Since this information does not travel encrypted over the network, LDAP and Kerberos are recommended instead.